Twitter and New York Times clash with hackers for control of their sites

White hats watch as epic struggle for domains plays out in real time.

For a good chunk of Tuesday, website administrators at Twitter, The New York Times, and other high-profile media outlets appeared to be locked in a high-stakes battle with self-proclaimed Syrian hackers for control of their Internet domains. Just as quickly as twitter.co.uk, nytimes.com, and other domains were returned to their rightful owners, Internet records showed they'd been seized all over again and made to point to a Russian Web host known to cater to purveyors of drive-by malware exploits and other online nasties.

In between these dueling sides was Melbourne IT, an Australian domain registrar that managed the domain names not only for Twitter and the NYT, but also for The Huffington Post, which security researchers said also experienced problems. Update: A spokesman for the company told The Australian Financial Review the outages were the result of a breach of its security. The login credentials of one of the company's resellers were compromised, allowing attackers to access servers and change settings that direct users to the correct servers.

One of the researchers following the clash was HD Moore, chief research officer of security firm Rapid7, who watched the struggle play out more or less in real time. At one point on Tuesday afternoon, his searches showed the official domain name servers for twitter.co.uk as being ns1.syrianelectronicarmy.com and ns2.syrianelectronicarmy.com. A half-hour later, the name servers had been changed back to the much more benign servers at a4.nstld.com, f4.nstld.com, g4.nstld.com, and l4.nstld.com.

The pattern repeated itself over and over, not just for the Twitter domain but for the addresses belonging to the NYT and The Huffington Post as well, he said. Compounding the turmoil was the time required for name-server changes to make their way to end users. Service providers often cache the records for high-traffic sites for as long as a day at a time, so a resolver that had picked up the hijacked name servers could keep sending its users to the attackers' servers until that cached record expired, even after the registrar had restored the legitimate entry. Since the name server is the mechanism that translates the human-friendly domain name into the network-routable IP address, there was no easy way for the legitimate operators to ensure their sites were available to everyone on the Internet.

"The scary thing about this is that once you've changed the DNS for the organization there's not much Twitter can do about it," Moore observed. "They have to wait to get the DNS reset to the previous value. If you watch the whois information right now, it's bouncing back and forth between the Syrian Electronic Army and The New York Times. The New York Times domains are constantly going back and forth and the SEA guys are trying to redirect the websites to a server they control."

At time of writing, both twitter.com and nytimes.com appeared to be under the control of their rightful owners, while twitter.co.uk remained unavailable. A whois search showed its name servers were still listed as ns1.syrianelectronicarmy.com and ns2.syrianelectronicarmy.com.
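As an added example (not code from the article or from any of the parties it describes), here is a small Python monitor that detects the kind of delegation flapping Moore observed and estimates how long a hijacked name-server set can linger in resolver caches. The dig output, timestamps and helper names are constructed; the legitimate name-server allowlist is the one the article reports for twitter.co.uk.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Legitimate delegation for twitter.co.uk as named in the article.
EXPECTED_NS = frozenset({"a4.nstld.com", "f4.nstld.com", "g4.nstld.com", "l4.nstld.com"})

# Constructed `dig NS twitter.co.uk` answer sections (not real captures).
# The one-day TTL mirrors the article's "as long as a day" caching remark.
SAMPLE_DIG_HIJACKED = """\
twitter.co.uk.  86400  IN  NS  ns1.syrianelectronicarmy.com.
twitter.co.uk.  86400  IN  NS  ns2.syrianelectronicarmy.com.
"""
SAMPLE_DIG_RESTORED = """\
twitter.co.uk.  86400  IN  NS  a4.nstld.com.
twitter.co.uk.  86400  IN  NS  f4.nstld.com.
twitter.co.uk.  86400  IN  NS  g4.nstld.com.
twitter.co.uk.  86400  IN  NS  l4.nstld.com.
"""

@dataclass(frozen=True)
class Observation:
    seen_at: datetime        # when the delegation was observed
    nameservers: frozenset   # normalized NS hostnames
    ttl_seconds: int         # TTL a caching resolver would honour

def normalize_ns(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot and lower-case."""
    return name.rstrip(".").lower()

def parse_dig_ns(output: str):
    """Parse NS answer lines (owner, TTL, class, type, target).
    Returns (frozenset of NS hostnames, smallest TTL seen)."""
    names, ttls = set(), []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[3] == "NS":
            names.add(normalize_ns(fields[4]))
            ttls.append(int(fields[1]))
    return frozenset(names), (min(ttls) if ttls else 0)

def classify(nameservers: frozenset) -> str:
    """'ok' matches the allowlist exactly; a mixed set is still suspicious."""
    if nameservers == EXPECTED_NS:
        return "ok"
    return "partial" if nameservers & EXPECTED_NS else "hijacked"

def hijack_windows(observations):
    """Return (start, end_or_None, ns_set) for each run of non-ok observations,
    i.e. each period in which the delegation pointed somewhere unexpected."""
    windows, current = [], None
    for obs in sorted(observations, key=lambda o: o.seen_at):
        bad = classify(obs.nameservers) != "ok"
        if bad and current is None:
            current = [obs.seen_at, None, obs.nameservers]
        elif not bad and current is not None:
            current[1] = obs.seen_at
            windows.append(tuple(current))
            current = None
    if current is not None:
        windows.append(tuple(current))
    return windows

def stale_until(observations):
    """Latest moment a resolver that cached a hijacked delegation could still
    be handing it out: the last bad observation plus the TTL it carried."""
    bad = [o for o in observations if classify(o.nameservers) != "ok"]
    return max(o.seen_at + timedelta(seconds=o.ttl_seconds) for o in bad) if bad else None

def build_timeline():
    """Constructed timeline of the back-and-forth the article describes."""
    t0 = datetime(2013, 8, 27, 15, 0)  # hypothetical timestamps
    hijacked, restored = parse_dig_ns(SAMPLE_DIG_HIJACKED), parse_dig_ns(SAMPLE_DIG_RESTORED)
    return [
        Observation(t0, *hijacked),
        Observation(t0 + timedelta(minutes=30), *restored),   # reset by the registrar
        Observation(t0 + timedelta(minutes=60), *hijacked),   # seized again
        Observation(t0 + timedelta(minutes=105), *restored),
    ]

if __name__ == "__main__":
    timeline = build_timeline()
    for start, end, ns in hijack_windows(timeline):
        print(f"hijacked {start} -> {end}: {sorted(ns)}")
    print("a cached hijacked delegation may persist until", stale_until(timeline))
```

The `stale_until` value is the point after which every resolver that honoured the TTL must have refetched the delegation; before it, a fraction of users can still land on the attackers' servers even though whois already shows the fix.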

The fact that all of the affected domains were managed by Melbourne IT at the time that the attacks were initiated has led to speculation that the hacks are the result of some sort of breach at the Australian registrar and Web host. One possibility is that the hackers exploited a server flaw that allowed them to hijack a domain control panel that a Melbourne IT employee uses to change name-server settings and registration information. Indeed, security consultant Mark Burnett unearthed this Pastebin link, which appeared to show someone getting unauthorized terminal access to the company's servers. The more likely explanation—given the SEA's penchant for phishing attacks—is that the hackers were able to coax the log-in credentials from a privileged employee and the compromised credentials haven't been revoked yet.

Here's hoping the SNAFU gets resolved soon. The server to which the Syrian hackers' name servers are sending would-be visitors is located at the IP address 141.105.64.37—a known source of malware and phishing attacks. Someone at Melbourne IT should put out this fire promptly and then tell the rest of us exactly what's going on.

Among other things, the SEA is not actually part of the government any more than Anonymous is part of the US government. Even if they were, cutting off the internet to all the innocent civilians there is not particularly just.

Turning off the internet to a country is not actually that easy to do, especially not without cutting it off to places you don't want to cut off.

And of course, hacking a website is most certainly not on the same scale as an act of war, the proper response is not to declare war on any country that hacks us, if we did we'd be at war with basically everyone.

62 Reader Comments

Sounds like they were panicking and just setting the DNS records back, instead of finding the root cause which allowed hackers access to the DNS settings in the first place.

Here's an idea. As soon as you experience a DNS hijack, switch registrars and DNS hosts while you continue to look for the root hack. (DNS record changes propagate really fast now.) It is unlikely that the new hosts will fall to the same attack. It would at least buy the white hats more time, if not stop the hack altogether.

...The server to which the Syrian hackers' name servers are sending would-be visitors is located at the IP address 141.105.64.37—a known source of malware and phishing attacks....

There may be some risk, then, in the repetitive "will it load in my browser yet?" troubleshooting method for regular users of any affected site. And many users will take that approach, simply trying again later. And again, later. And ... so on.

Is that address delivering any content? I've not seen browser screenshots, for example. Before looking into it (independently, and then seeing news of it), I was just getting timeouts there. Perhaps the server at that address isn't up for the traffic load ... but there's no telling what they're doing behind the scenes as people hit that server.

I hope that Ars does an update, or a new article (preferable), when it gets worked out.

My understanding of the way domain name registration works is that you can't do that. How it works is that if you want a domain you go to a registrar, pay them some money and tell them the IP addresses you want your domain name(s) to point to; they then square things with whatever company controls the Top Level Domain your domain name belongs in (and there is only one, for there is but a single set of records). After that, the registrar is given the power to set where a given domain name points on the DNS servers.

While it would be possible to change which registrar you use, it would not be possible to do it on this sort of time scale, so as to prevent people from stealing domain names.

This. Resetting the records was probably not the worst idea once, but to keep doing that and play tug-of-war instead of changing registrar and host seems kind of dumb to me.

Like I pointed out, that likely isn't possible on the time scale people are talking about.

My first thought was why the hell are these major sites using Melbourne IT? There are pricey registrars impractical for the average WP blog that cater to high profile sites like this that need something a bit more professional (and who aren't giving resellers API access).

If the NYT called up someone like MarkMonitor and gave them company plastic, credentials and a high level contact at Melbourne, this would be all over and done with. There's a legit market for bulletproof registrars/DNS services and it has existed for some time because this is a known attack vector.

Watch very closely what's going on in Syria right now. Our government is trying to find a reason to take control of the oil in that country, and it's looking like there are a lot of false flag operations to paint Syria in a negative light.

Obama is already planning to send troops in due to chemical weapons being used. There have been reports numerous times that this was happening with no real evidence. Now it's looking like our government is trying to fabricate the evidence.

This domain attack could be another false flag operation. Follow the money.

Questioning the government is fine and all but you might want to cool it with the conspiracy theories that go well beyond the scope of this piece. Throwing out baseless claims and thinking it has merit just does not work here. Try coming up with something with substance and for the most part, on topic.

Besides, a registrar transfer usually takes a minimum of three days; it is a useless idea because it fails to address the root of the problem. The article states that the most likely situation is that the attackers have gained a higher level of access than the owner of the domain, as it is probably the same as the registrar's personnel. You have to revoke the attackers' privileges first so they cannot cancel the legitimate transfer attempts and get you stuck in the same back-and-forth game of the DNS servers. And worse, the attacker could also transfer the domain to another registrar, so the current registrar may have been forced to block any transfer of all its domains. I bet that the domain owners are not the ones who are fighting this battle, as they probably have escalated it to the registrar. In my opinion the registrar has failed to respond with the drastic measures this event requires: blocking access to the management system for everyone except a few trusted users accessing it from inside the corporate network.

I'm not interested in what you think. I'm asking people to watch what is happening in Syria, and if you look up what is happening in the country yourself you would see that there is some truth to this.

Secondly, it is on topic. It's about attacks supposedly coming from a name connected with the country. Think about why this is happening now, of all times, when our government is just about to send troops into the country. If you don't want to do the math yourself then don't waste your time responding if you've got nothing worthy to contribute.

Sorry but when making claims, the burden of proof is on you. The typical dialogue of, "look it up yourself" that gets repeated by those similar to yourself really do a disservice to themselves by making baseless claims. Furthermore, it is difficult to have a worthy contribution when the original comment is lacking in any substance.

This piece is about what has happened to the New York Times and Twitter. This is not a platform by which making a single reference to the topic, gives you the validation to preach your opinion. Alas, I am done with this topic since there will not be any development and only lead downward into an abyss void of any relevance. Say what you will but I am done, I see this as being a pointless cause.

Was checking out the other articles and must say, Marc Frons (chief information officer for the New York Times) sure has colorful language. He commented on the seriousness of what had happened with this cute little comment.

Quote:

“In terms of the sophistication of the attack, this is a big deal,” Mr. Frons said. “It’s sort of like breaking into the local savings and loan versus breaking into Fort Knox. A domain registrar should have extremely tight security because they are holding the security to hundreds if not thousands of Web sites.”

What's with the Syrian hacker attacks? Who are they, and what's their point?

It's Assad. He is hacking the free world! He hates our way of living and we should send bombs his way. Also build a pipeline from Qatar to Europe over Syria, but that is not relevant to him hating our way of life!!! Oh yeah, he also gassed a lot of people as he was winning and wanted a bigger challenge, so we should go in and bomb the shit out of everyone there just to make sure his efforts were not in vain.

The burden of proof response is a well-conceived misconception perpetuated by people in power to defeat people who are dissenting against an established system of power and control.

You and you alone are responsible for discovering the truth. Nobody is going to lead you to it, you have to find it for yourself.

As we are all human beings, my goal was to point out what I have seen while looking at the news on Syria. I'm not sure if it's even true, but from what I have been reading about how our country operates to further our interests, this looks like a possibility.

If there is a resource in a country and bad things are happening in it, it's a good bet that it's related to that resource, looking at the parties involved.

Over and out.

Sorry, but what? If you have previously sought out this truth, why not share it? Let us know about it? Don't keep it hidden from the public, which you're (somewhat rightly) accusing government bodies of doing. Just insinuating you have proof and going off at people (on the internet, of all places) for not believing you is just ... well, not the smartest course of action to prove how right you are.

Yeah, see, as someone who was told for years that I should put on a tinfoil hat when I said things like "The NSA is monitoring emails" and things of that nature, I feel I should point out that it is only wrong for people to say that when they are dismissing evidence you have shown them. When you say with absolutely no evidence that this, or 9/11 or anything else is a false flag operation, that is one hell of a claim and extraordinary claims require extraordinary evidence.

I wish them luck getting a response from Melbourne IT, the most unresponsive registrar I have ever had the misfortune to deal with.

I think the time has come to get serious about building resilience in the domain administration. The kind of resilience the internet protocol is known for. Especially after seeing how vulnerable registrars are. Now that networks are faster and more dependable it would make sense to have dual (or triple) name-server lookups, backed up with certificates. Hackers would have a harder time breaking into three geographically dispersed servers at the same time and they would leave more traces.

It may be time to have a number of private DNS server systems. Simple if presented right and combed like the email servers have been. Black hat/white hat beats gov to the grounding of bad guys every time. It depends on the popularity. I remember the fellow that made an alternate DNS plugin. The USA threatened him like they threaten all nations via RIAA and MPAA goods...black trading lists...aiding and abetting...lol. DNS is text and free speech! It would also solve the mommy whose kid came of age or husband looks at porn. Pick the DNS that presents your social values. The catch-all server would remain for us junkies. But millennial kids becoming mom and pop, they need ipops and easy viewing. iOS without the complexities is what they appear to want according to Wired marketing and democratic leaders.

As an Australian I feel bad about this, but on the other side, maybe it'll cause Melbourne IT to wake up a bit as far as their account security goes. I've never been impressed by it, particularly given the prices they charge for their services.

If you look at what I said you will see that I didn't state any facts. Only what I think might be the truth. I used words like "It looks like.." and "could be..."

Most people would settle for any evidence at all.

The Syrian Electronic Army is a pro-Assad organization that says it fights the misinformation being spread about (their country|him) and do so by hijacking trusted news outlets and redirecting to malware infested sites. http://en.wikipedia.org/wiki/Syrian_Electronic_Army

There isn't a conspiracy hiding behind every event. There isn't even bad evidence of a conspiracy hiding behind every event.

"I can get away with saying inane offtopic bullshit by prefacing them with "It looks like" and "it could be" so I don't have to back up anything I say with anything that can even be remotely considered facts."
